Kiwis hit in an international data breach last week could have their personal details sold off on a Trade Me-style site on the dark web, a cyber security expert says.
A couple hundred Wellingtonians were caught up in the data breach when an application the Wellington City Council uses was targeted by hackers.
The program, Typeform, which is used by other organisations including councils in the Waikato area, is a tool used internationally by groups wanting to get involved in public consultation.
The breach meant hackers potentially had access to the affected group's names, email and home addresses, business names, gender and phone numbers.
This information may be sold off to other cyber criminals on the dark web, said Aura Information Security general manager Peter Bailey.
"There's a market on the dark web for this kind of information. They package it up and sell it ... it works kind of like Trade Me," Bailey said.
"You look for a seller who's selling this kind of information, you check that they've got a decent star rating ... there's a real market and this is a real commodity for them to sell."
If only email addresses are stolen, the owners should be aware they are likely to receive phishing or spam emails aimed at either gaining more of their information or infecting their device with a virus.
If someone's bank account details are stolen, they should contact their bank immediately, and keep an eye out for unusual activity in their accounts.
But while those thefts had somewhat easy fixes, the theft of personal information can be more troublesome.
"They will go set up fake mortgages and fake bank accounts, they'll take the money and it will be under your name."
Anyone whose identity has been stolen in this way should contact police, Bailey said.
Unfortunately, while stolen credit card details lead simply to a cancelled card, and phishing emails can be ignored, stolen personal information has no easy solution.
"Once someone's got it, that stuff can really hurt you, that's why people get quite nervous about the data that companies are holding."
For these reasons, it is particularly important organisations and companies do their due diligence when using programmes or applications from a third party, he said.
They should be asking to see the third party's independent tests and evidence of the application's security, or should be carrying out their own independent testing.
They should also ask the third party about what plans they had in place if there was a data breach.
Council spokesman Richard MacLean said an email was sent out to "a couple of hundred" people whose data was compromised in the breach, warning them what had been potentially accessed and what to watch out for.
"We're obviously going to review whether we continue to use Typeform ... I think a lot of other organisations will be doing the same thing."
Typeform released a statement on its website, saying its engineering team became aware on June 27 that an "unknown third party" gained access to the server and downloaded "certain information".
"As a result of this breach, some data was compromised. We responded immediately and fixed the source of the breach to prevent any further intrusion."